End-to-end privacy ecosystem

ABSTRACT

A system includes one or more privacy vaults. At least one of the one or more privacy vaults is associated with at least one individual user, stores contents associated with the associated at least one individual user, and stores specific identification of a plurality of third-party entities, authorized to access at least a portion of the contents stored by the one or more privacy vaults, along with access permissions, one or more of the access permissions defined for each of the plurality of third-party entities. At least one of the access permissions defines accessibility of the contents for at least one of the plurality of third-party entities for which the at least one access permission is defined.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. provisional application Ser.No. 63/239,215 filed Aug. 31, 2021, the disclosure of which is herebyincorporated in its entirety by reference herein.

TECHNICAL FIELD

The illustrative embodiments generally relate to an end-to-end privacyecosystem.

BACKGROUND

Digital user privacy, consumer data collection and data monetization arebecoming ever-more prevalent issues in modern society. Computingdevices, software, hardware, and websites continually gather data onusers to build profiles, offer advertisements, and plan strategies. Manytimes, users are not even aware of what data is being gathered and howthat data is being used, and software or websites may frequently offerservices in exchange for data, such as a “free” search engine or socialmedia site that exchanges services for gathering of user data.

For a long time, users were willing to accept these services in exchangefor the data, believing the data to be limited in scope, the use andbusiness-to-business sharing of the data to be limited in scope, orbeing unaware of the true value of their personal data in the aggregate.The financial success of these services, predicated largely on data, hasrevealed some of the true value of user data. At the same time, datagathering and processing has grown much more sophisticated, allowing forthe unlocking of significant value in large data sets about individualusers and groups of users.

Problematically, users have already often agreed to have this datagathered and enjoy using the free services. Moreover, users stillfrequently have no idea as to what data is or was gathered about them.Far more than a simple location or demographic, these data sets canrange far and wide, and user behavior itself is often monitored andcompiled into complex evaluations of what that user represents in termsof merchant or advertiser opportunity. At the same time, there arelimited opportunities to determine what data has been gathered and howthe data is being used, and most frequently the impact and scope isobserved anecdotally, where a user continually sees advertisements, forexample, that appear to be highly targeted. The scope of data is alsohinted at when software provides recommendations and seems almostprescient in its understanding of what the user would like.

While many users may not object to the targeted and precise nature of atleast some of these incidents, and may even welcome them in some cases,such as a requested and subsequently on-point recommendation, many usersmay ultimately be somewhat disturbed at the scope and scale of their ownpersonal information stored and used to assemble these offerings. But,since users can never see the backend data store, and since theytypically lack granular control over data, and/or notification when andwhat data is specifically gathered, people tend to remain somewhatblissfully ignorant, even if they would be distressed if they saw thevolume of personal information being gathered, understood the value ofwhat they were exchanging, and understood the full scope of theconclusions that were being drawn about them. Because it may be rarethat the user's data is used exclusively to provide a requested andsubsequently on-point recommendation, consumers may ultimately prefer asolution that provides better optics into usage, consumer-centriccontrol and permissioning of such usage and value-sharing opportunitiesrelated to a consumer's personal information.

SUMMARY

In a first illustrative embodiment, a system includes one or moreprivacy vaults, wherein at least one of the one or more privacy vaultsis associated with at least one individual user, stores contentsassociated with the associated at least one individual user, and storesspecific identification of a plurality of third-party entities,authorized to access at least a portion of the contents stored by theone or more privacy vaults, along with access permissions, one or moreof the access permissions defined for each of the plurality ofthird-party entities, at least one of the access permissions definingaccessibility of the contents for at least one of the plurality ofthird-party entities for which the at least one access permission isdefined.

The system further includes one or more processors configured to providegateway services for accessing contents stored by the one or moreprivacy vaults, including handling access requests, for contents fromthe one or more privacy vaults, wherein an access request, from the atleast one third-party entity, is handled in accordance with at least oneof the access permissions defined for the at least one third-partyentity in each of a plurality of target privacy vaults from which the atleast one third party entity requests information, to fulfil the accessrequest for the information from a respective target privacy vaultaccording to the policy defined for the at least one third-party entityby the respective target privacy vault.

In a second illustrative embodiment, a system includes one or moreprivacy vaults, wherein at least one of the one or more privacy vaultsis associated with at least one individual user, stores contentsassociated with the associated at least one individual user, and storesspecific identification of a plurality of third-party entities,authorized to access at least a portion of the contents stored by theone or more privacy vaults, along with access permissions, one or moreof the access permissions defined for each of the plurality ofthird-party entities, at least one of the access permissions definingaccessibility of the contents for at least one of the plurality ofthird-party entities for which the at least one access permission isdefined.

The system also includes one or more processors configured to providegateway services for accessing the contents stored by the one or moreprivacy vaults, including handling access requests, including at leastaccess requests from at least one third-party entity of the plurality ofthird-party entities. The one or more processors are also additionallyconfigured to provide audit services including obtainingcontent-retention information, identifying what contents, of outboundcontents from at least one audit-target privacy vault and that wereprovided responsive to an access request from a requesting third-partyentity, were retained remotely by the requesting third-party entity, andcomparing the identified contents to the access permission of the atleast one audit-target privacy vault defined for the requestingthird-party entity to determine if the identified contents werepermissibly retained in accordance with the access permission.

In a third illustrative embodiment, a system includes one or moreprivacy vaults, wherein at least one of the one or more privacy vaultsis associated with at least one individual user, stores contentsassociated with the associated at least one individual user, and storesspecific identification of a plurality of third-party entities,authorized to access at least a portion of the contents stored by theone or more privacy vaults, along with access permissions, one or moreof the access permissions defined for each of the plurality ofthird-party entities, at least one of the access permissions definingaccessibility of the contents for at least one of the plurality ofthird-party entities for which the at least one access permission isdefined.

The system additionally includes one or more processors configured toprovide gateway services for accessing contents stored by the one ormore privacy vaults, including handling access requests, for contentsfrom the one or more privacy vaults, wherein an access request, from theat least one third-party entity, is handled in accordance with at leastone of the access permissions defined for the at least one third-partyentity in each of a plurality of target privacy vaults from which the atleast one third party entity requests information, to fulfil the accessrequest for the information from a respective target privacy vaultaccording to the policy defined for the at least one third-party entityby the respective target privacy vault. The one or more processors arefurther configured to provide content gathering services for the atleast one individual user, including tracking user digital actions ofthe at least one individual user, gathering contents generated by thedigital actions, and storing the gathered contents in the at least oneprivacy vault associated with the at least one individual user for whomcontent gathering services were provided.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1C show an illustrative example of non-limiting elements of adata-privacy, data ownership, and user-empowering data marketplacesystem;

FIG. 2 shows an illustrative example of a privacy management platform;

FIG. 3 shows an illustrative example of a logical layout of adata-privacy ecosystem;

FIG. 4 shows an illustrative example of a data management process;

FIG. 5 shows an illustrative example of a data auditing process; and

FIG. 6 shows an illustrative example of a data negotiation process.

DETAILED DESCRIPTION

Embodiments of the present disclosure are described herein. It is to beunderstood, however, that the disclosed embodiments are merely examplesand other embodiments can take various and alternative forms. Thefigures are not necessarily to scale; some features could be exaggeratedor minimized to show details of particular components. Therefore,specific structural and functional details disclosed herein are not tobe interpreted as limiting, but merely as a representative basis forteaching one skilled in the art to variously employ the presentinvention. As those of ordinary skill in the art will understand,various features illustrated and described with reference to any one ofthe figures can be combined with features illustrated in one or moreother figures to produce embodiments that are not explicitly illustratedor described. The combinations of features illustrated providerepresentative embodiments for typical applications. Variouscombinations and modifications of the features consistent with theteachings of this disclosure, however, could be desired for particularapplications or implementations.

In addition to having exemplary processes executed by a first mobile,personal or cloud computing system, in certain embodiments, theexemplary processes may be executed by a second computing system incommunication with the first computing system. Either system mayinclude, but is not limited to, a wireless device (e.g., and withoutlimitation, a mobile phone) or a remote computing system (e.g., andwithout limitation, a server) connected through the wireless device. Incertain embodiments, particular components of either system (oradditional systems) may perform particular portions of a processdepending on the particular implementation of an embodiment or animplementation similar to an embodiment. By way of example and notlimitation, if a process has a step of sending or receiving informationin conjunction with a wireless device, then it is likely that thewireless device is not performing that portion of the process, since thewireless device would not “send and receive” information with itself.One of ordinary skill in the art will understand when it isinappropriate to apply a particular computing system to a givensolution.

Execution of processes may be facilitated through use of one or moreprocessors working alone or in conjunction with each other and executinginstructions stored on various non-transitory storage media, such as,but not limited to, flash memory, programmable memory, hard disk drives,etc. Communication between systems and processes may include use of, forexample, Bluetooth, Wi-Fi, cellular communication, and other suitablewireless and wired communication usable for both short range andlong-range wireless transmission as appropriate for a givenimplementation.

In each of the illustrative embodiments discussed herein, an exemplary,non-limiting example of a process performable by a computing system isshown. With respect to each process, it is possible for the computingsystem executing the process to become, for the limited purpose ofexecuting the process, configured as a special purpose processor toperform the process. All processes need not be performed in theirentirety and are understood to be examples of types of processes thatmay be performed to achieve elements of the invention. Additional stepsmay be added or removed from the exemplary processes as desired and theexamples are intended to illustrate, but not limit, aspects of theproposed embodiments and inventive concepts.

With respect to the illustrative embodiments described in the figuresshowing illustrative process flows, it is noted that a general-purposeprocessor may be temporarily enabled as a special purpose processor forthe purpose of executing some or all of the exemplary methods shown bythese figures. When executing code providing instructions to performsome or all steps of the method, the processor may be temporarilyrepurposed as a special purpose processor, until such time as the methodis completed. In another example, to the extent appropriate, firmwareacting in accordance with a preconfigured processor may cause theprocessor to act as a special purpose processor provided for the purposeof performing the method or some reasonable variation thereof.

The illustrative embodiments, and the like, propose elements of anecosystem for monitoring, understanding, controlling, reclaiming,storing, sharing, purging, and even monetizing a user's personal data,which can be thought of as user personal digital contents of a digitalpersonal data store, digital privacy vault, digital privacy locker,digital privacy data store, etc. Aspects of the illustrativeembodiments, and the like, put knowledge and control back into the handsof the users. Even if users armed with such information choose to sharetheir data and/or exchange the data for some other value, they can nowhave much better understanding of the exchange, and can thus act as aneducated negotiator, deriving something closer to true value in exchangefor their information. While backend websites and software systems maystill gather data and obtain value from user data, the user, armed withknowledge and at least somewhat granular control, if desired, becomescapable of leveling the scales somewhat in terms of the trade-off.Whether or not this results in a perfect exchange of value for a user'spersonal information, such systems, as described by the illustrativeembodiments and the like, may at least allow the user to come muchcloser in obtaining fair value, in addition to providing more choice andcontrol in the matter. Further, the user may know what information isbeing collected and stored by which software and websites, be able todefine what information can be kept by the same, and experienceopportunities to dictate which data is to be expressly removed,including data that may have been exchanged in the past for services nolonger required.

In some instances, users may be able to see what conclusions are beingdrawn or are likely being drawn and based on what data. If theconclusion reveals something about the user that the user would prefernot to be concluded, or something that is simply erroneous, the user maybe able to prevent sharing of some or all data used to reach thatconclusion. Or, the user may only choose to share that data withentities for which the user does not object to the conclusion beingdrawn, and selectively prevent other entities from drawing suchconclusions.

As the control of the data shifts back to the user, merchants andservices may be incentivized to create better value in exchange for theinformation they require. That is, while users may be perceived as being“addicted” to the free services provided in exchange for data,merchants, especially advertisers, are similarly “addicted” to userdata, and often an entire business has been built around the predicatethat it will have somewhat unlimited and unfettered access to data. Lossof data access, to those entities, may be catastrophic, and thus thoseentities may be willing to exchange significant value to keep the datapipeline open. Even when the situation is not so dire for a merchant orservice, virtually every business can benefit from some level of dataanalysis, and so all such beneficiaries may be willing to exchange someportion of that benefit to users in order to obtain the value.

In the modern paradigm that previously existed, businesses that couldgather data without impediment may have obtained certain value from thedata, and the proposed illustrative embodiments may make it possible fora consumer to capture some portion of that value. As long as the portionshared with the user is not equal to the business's original value interms of value-exchange, the business is still benefitting. Andconsumers, who have previously been giving the data away for free, inmany instances, may happily provide something they were alreadyproviding in exchange for additional value that they were not previouslyreceiving.

The proposed illustrative embodiments, and the like, give users muchmore control over their data and allow users to maintain that controland ownership over their data. Further, the users may be able to deriveadditional value from their data, beyond what is already being obtained.That is, for a service that is free, but which provides value, a usermay be happy to share data, but for a service which is being paid for,for example, a user has already traded value for that service, and in aninstance such as that, the user may require additional value in returnfor allowing the service to use the user's data. Even in thefree-service instance, the user may be providing more value than theservice is worth to the user, but only a user can draw this personalconclusion, and they may only be able to draw it when they actuallyunderstand what is being shared or kept, or what conclusions are beingdrawn from their data and how their data is being used.

Another source of value could include access to cross-platform data andinsights. This can be valuable to both a consumer and/or a businessentity. A consumer, for example, may want a comprehensive view of “foodand dining” habits, which can include analysis of data from a wealth ofsources—e.g., search engines, grocery purchases, restaurant visits andorders, viewing habits (e.g., cooking shows), etc. A business may valuethis information as it may paint a much more complete picture of aconsumer than would be available from the limited data typicallyavailable to that business (i.e., the habits of the user as indicated bythe direct interactions with that particular business). Typically, allof these disparate sources of information are difficult to bringtogether, especially with regards to the data pertaining to a singleperson. By providing a consolidated data store, comprehensive data canbe analyzed on behalf of the consumer and/or provided by the consumer inexchange for value. As a more-inclusive viewpoint, this would likely bemore valuable than knowledge of some of the individual elements, andmoreover, a business could provide a fair value for the amalgamation ofthe data that reflects the savings to the business of both the cost andhassle of attempting to build a consumer profile from many discretesources.

FIGS. 1A-1C show an illustrative example of non-limiting elements of adata-privacy, data ownership, and user-empowering data marketplacesystem. Not all elements would be necessary in a given implementation,interactions between elements may vary, and a skilled artisan willrecognize that elements may be added or removed as appropriate for aparticular implementation of all or an aspect of the ecosystem or asimilar ecosystem. Privacy as a Business (PaaB) is a generalized notionrepresenting the idea that a consumer can take possession and ownershipof their personal data and control access, control storage, port thedata, manage the data, market and otherwise derive value from the data,etc., and is not intended to limit the scope of the concepts in anymanner.

The following examples describe illustrative, non-limiting aspects ofthe illustrative ecosystem that, in this example, comprises security101, a personal data store 121, analytics and insights 144, datapreparation 160, data monetization 166 and the ability to interface withthird party applications 136. Aspects of this and similar ecosystemsserve to provide comprehensive data protection, control, andmonetization opportunities for a user/consumer 100.

Security, in this example, includes authorization services 102, whichcan provide authentication 103, authorization 104 and token validation105 for various requests for information or services relating to aconsumer/user's personal data.

Security 101 may also include account management services 110, whichallow the consumer 100 to create accounts 111, modify accounts 112,delete accounts 114 and which includes some verification credentials113. A consumer 100 may request creation of an account to store apersonal data store (PDS) 121 and provide analytics and microservicesrelated to that account. Personal data stores can also be thought of asprivacy data stores, privacy vaults, privacy lockers, etc. The consumermay also, in at least certain embodiments, store additional credentialsassociated with the account, which can be credentials for sources ofpotential data. That is, while it may be possible to simply assert thata data gathering process is acting on behalf of a consumer, someentities that store data may also request further credentials. If thedata gathering service is a trusted party, then such credentialing maynot be necessary, but until a trusted relationship or platform is built,third-party services may be loath to release personal information to anentity purporting to represent the consumer 100.

The consumer 100 may also have one or more data-sharing contracts 107that define data sharing relationships with third-parties. These mayinclude pre-existing relationships that have to be honored (oreventually modified) and/or newly formed sharing relationships. Forexample, a consumer 100 who has been using a service for free, inexchange for sharing data, may have some lingering obligation tocontinue to allow that service to use the data, at least for atime-period or until a legal change obligates the third-party to vacatethe contract or change its terms.

Also, when a consumer seeks to monetize or otherwise use personal dataafter establishing a personal data store 121, the audit process 109 maytrack what data was stored with which entities. Keeping such a record ofdata allows the audit process to more closely check in the future ifdeletion/purge obligations were fulfilled. The audit process may alsotrack what data is stored where when initially building a consumer dataprofile, so that knowledge of pre-existing offboard storage of data ismaintained. This can be useful for future data pulls and if and/when alegal or contractual change to a pre-existing relationship allows fordeletion or modification of the offboard data stored outside the PDS121. That is, the consumer 100 may terminate the service, ending theobligation for sharing, and/or a legal change may allow the consumer tomodify an existing agreement or mandate deletion of certain personaldata from the offboard third-party server. The audit process, if it hasa comprehensive list of what data exists where, whether shared from thePDS or discovered on behalf of the consumer 100, can use such records toperform a fast distribution of instructions to delete, modify or purgedata storage outside the PDS 121.

As part of a privacy and data ecosystem, described in non-limitingexample in the illustrative embodiments, consumers may have personaldata stores (PDS) 121 that represent data storage for an individualconsumer. This data may be aggregated over time through variousingestion processes 122 and may represent the data that would have beengathered and/or may be requested by countless services with which aconsumer (user) may interact. Services may request data on a one-to-onebasis from a consumer (e.g., for the purpose of performing a task onbehalf of the consumer, such as providing an insurance quote) or mayrequest data on a one-to-many basis from a plurality of consumers,(e.g., for the purpose of analyzing data indicative of a group).

Data ingestion 122 may include importation 123 of data from existinguser relationships, such as existing user accounts with other sourcesthat may store user data—e.g., without limitation, social media sites,search engines, paid-subscription sites (e.g., streaming media sites),etc. That is, most users 100 have significant off-site/offboard presentstorage of data, often without their direct knowledge of what is stored.Sources and storages of this data can include, for, example, withoutlimitation, social media sites, on-demand services (rideshares, mediacontent sites, delivery services, etc.), personal and professionalnetworking sites, search engines, email providers, personal fitnesssites, shopping sites, consumer facing sites, and any other entity thathas access to user personal data and stores one or more aspects of thatdata. The data itself, or personal digital contents to be stored in thedigital privacy vault, can include, but is not limited to, date ofbirth, age, gender, name(s), friends, addresses, email addresses,contact information, phone numbers, education (certificates, courses,degrees, skills, etc.), languages spoken or read, employment history,property ownership, spending habits (costs, categories, volumes, etc.),ad click habits, subscriptions, interests (books, games, media, etc.),posts, comments, likes, pages visited (surfing habits), searches, onlineviewing/listening habits (movies, shows, videos, audio, podcasts, etc.),groups, polls, connections, affiliations, biological information,transportation uses, route usages, travel habits, frequent locations,etc. This data represents a useful building point for backfilling a PDS121 and for allowing the audit process 109 to build a record of existingoffboard data storage. Consumers 100 can also add data through pulls ofdata, such as through an API or interface with an application or sitethat allows the consumer 100 to expressly add data or which happens tobe gathering data at any given moment. If the platform is in control ofa consumer's data sharing, after a point, all data requested by athird-party can also be pulled into the platform and saved or discardedin accordance with a given consumer's preferences. Consumer 100 maydictate which data is stored by the PDS, as well as which data isavailable for sharing. As noted above, the consumer may expressly adddata at any time, which can include filling in personal information, forexample, correcting data or explicitly adding any data elements or typesthat the consumer wants to be reflected or stored in their privacyvault.

Ingestion may also receive data 125 from other third-party applications,which can be an alternative form of data-sharing where the third-partyapplication reports what data it gathered and sends a copy of that dataor information about what data was gathered to the ingestion process122. When third-party applications are seeking to build a moretrustworthy relationship with a consumer, they have an added incentiveto provide such information to prove their particular trustworthiness.Moreover, such sharing may be dictated by terms of various smartcontracts 108.

Since the PDS 121 is private and safe, and in the control of theconsumer, storing a larger amount of data may not be as troublesome to aconsumer. Moreover, the more data that is stored, the more opportunitiesthat may exist for a user to monetize their own data. That is, certainaspects of the illustrative examples may allow for presenting offers tousers based on whether a user has data that is of interest to anofferor, or that represents certain demographics. Of course, it may notbe possible to know whether a user qualifies in the absence of data oraccess to an individual's data, so the individual consumer 100 may beable to dictate through policies 126 and contracts 108 what data isshared or willing to be shared and whether the consumer 100 opts to havetheir data 121 used for the purpose of originating offers.

A group of PDSs may also represent an opportunity for cost-savings fortraditional data-holding entities. A company or service could architectits own platform to utilize its users' PDSs as data stores foroperational data. This can result in significant savings in data centersand/or cloud services and effectively make the group of PDSs adecentralized data center.

The user's data would still be protected until an offer is accepted, butcertain users may want to allow their data to be used in exchange forvalue opportunities. Those users could opt-in to value sharing offers,and whenever appropriate, or as permitted by the user, appropriateoffers could be provided to the user. If the user accepted the offer,data could be anonymized, shared, and deleted or stored (by the offeror)based on the terms of the offer. This could allow for, for example,advertisement provision to a user while keeping the data anonymous. But,in the example above, not only would the user still see a “preferredad,” but the source of the ad would have no direct information about towhom the ad was presented and the user also would have received somedirect exchange of value in return for sharing the data (anonymously)that made the targeted nature of the ad possible. In further examples,where the user may receive greater exchange of value in return for lessanonymity of the data, the ad may be personalized based on user data,but again, the user could control the level of anonymity and further theuser would have already received some greater value proposition inexchange for the level of data shared and/or the level of anonymitychosen. For example, a user who elects to share an email address mayreceive a follow up email, but the user could have dictated that onlyone follow up email was permitted, and received some value exchange forsharing that level of information. If more than one email was received,the advertiser would be in violation of the defined policy and could besubjected to restriction as described in more detail below. If the levelof restriction applied to the advertiser's ability to access a largerset of data across many privacy vaults, the advertiser would be unlikelyto risk loss of such value to violate a policy for one user, and sincethe vaults collectively represent a unified source for a vast amount ofdata, there is a significant incentive to follow the defined policies.Further, the revenue from the advertisements themselves could be sharedwith the users, getting them paid both for sharing the data and for anysubsequently generated revenue resulting from presentation orutilization of the advertisement.

On the other hand, some users may be very protective of their data, andmay not want it even queried anonymously for offers. Those users mayalso value their data over the exchange for value, and so in thoseinstances the personal data stores could be kept private unlessexpressly given permission for sharing. Certain services may requirecertain data to function, but at the same time, those users could have ahigh degree of control over what they are sharing, for what that data isused, and for how long it is being kept.

Users may also select sharing policies (also referred to as accesspermissions) 126 for their data, defined for an entire PDS or perhaps ona service-by-service (entity-by-entity) basis. For example, a user mayhave a default sharing policy for unfamiliar or uncommon services, thatshares very limited, anonymous data and inform the user what is beingrequested and returned. On the other hand, a trusted subscriptionservice may receive more data with less transparency, not because theuser necessarily does not want to know, simply because the user alreadyknows what is being shared with that entity and is ok with the sharing.Thus, users can achieve granular control over their data and maintainefficient and unbothersome relationships with trusted entities, while atthe same time having tighter control over what is being shared with lessfamiliar sites and applications. Additionally or alternatively, the usercan define policies for groups of services (e.g., food deliveryservices, banks, etc.).

The illustrative example shown in FIG. 1B shows a four-tier approach tosharing that includes guest 128, private 129, anonymous 130 and open 131as various policies or access permissions that may be applied to eithera given third-party or a record or data element or group. From oneperspective, these policies may dictate the level of access for a giventhird-party, and classifications of the data elements and/or types orgroups of data may determine whether a given element or type of data canpermissibly be requested by the third-party. All relationships may beginat a restrictive tier, such as guest 128, if desired. Of course, thenumber of policies could be one policy, two policies, or any othernumber of policies, and may range from consistent tiered-application toany number of policies varied discretely for each entity or group towhich a given policy applies or is instructed to apply by a user ormanaging entity.

The guest policy 128, in this example, allows certain data to beexchanged as needed, for a present interaction. A policy 126 and/orsmart contract 108 (which can be instantly generated and agreed-to by arequesting entity in order to obtain any data at all) will dictate usageand storage of the data, which in this case is no-storage and limitedusage, with no cookies. The smart contract can represent aninstantaneous and momentary relationship or an ongoing one, pursuant tothe wishes of the consumer and the willingness of the third-party. Evenif the contract is for the purposes of a single interaction, its termsmay be legally binding in terms of the third-party's obligation not touse the data outside the dictates of the contract. While perhaps findingsuch restrictions a bit onerous, third-parties are likely to agree onsome level because they still may want traffic from consumers usingPDSs, especially if PDS usage is adopted at scale. Moreover, thisincreases incentive to provide additional value in order to move thecontract to a less restrictive level, such as private 129.

The private policy 129 may allow for the third-party to retain data, butonly use it on behalf of the consumer 100. This can save on datatransfer time and may even allow for usage of the data in modelingsolutions directly for the consumer but may prevent sale and other usagethat is outside the scope of a service directly on behalf of theconsumer. The smart contract and/or policy may better define what “onbehalf of the consumer” means, so that a third-party cannot allege thattheir use or sale of the data in certain manners indirectly benefittedthe consumer by cheapening services and/or improving general processes.On the other hand, a given entity may ask the consumer for such amodification, which can result to a carve-out in the policy for thegiven third-party or a reduction of the policy to a next lessrestrictive tier, such as anonymous 130. Since the policies can beredefined for given relationships as needed, and terms dictate by smartcontracts 108, even a model that begins with four levels of privacy doesnot need to only ever provide those four levels. Moreover, allowingmodification of contracts may further incentivize third-parties toprovide value for data access, and users can negotiate orpseudo-negotiate term changes.

In one example, there may be an existing paradigm of policy settings andbase smart-contracts that define initial policy tiers 126. Since thesemay be relative fixed as the baseline, individual third-parties canobtain copies of the contracts and propose modifications in exchange forvalue. That is, if the policies are thought of as 1-4 in terms ofrestrictive—open, a company may give X value for a 1.5 contract(somewhere between guest and private) and 3× value for a 3.5 contract(somewhere between anonymous and open). The particular revisions to abase policy sought by the company can be review specifically for thatcompany (by a machine analysis process, for example), so that all usersopting into that company's version of the 1.5 contract or 3.5 contractget the same terms and know what the “new” policy tier represents.Further, there may be multiple “3.5” contracts, which can be thought ofas hybrid contracts, that are different for each third-party modifyingthe contract based on what that party wants, and a user may agree ordisagree with any of them based on whether the offered value issufficient.

Alternatively, the third-party can simply negotiate application of aless aggressive restriction, such as anonymous 130 or open 131.Anonymous may permit data sharing, usage and merging with other data,but only insofar as the data is anonymized first. The audit process 109may require submission of samples to be shared or merged and can usemachine-learning/artificial intelligence (ML/AI) to determine whetherthe data is sufficiently anonymous. Agreements with third-parties maystipulate that they have the same anonymization process once approved,and regular audits may confirm whether they are holding true to theirword. The open policy 131 may simply allow for the use of data in anopen manner as the third-party desires.

The platform may also alert a user about the dangers of policies such as“open” and may suggest that certain restrictions still be applied tocertain data. That is, different data may also have metadata associatedtherewith dictating, for example, policies that apply or can neverapply. For example, a user's driver's license number may only bepermissibly shared under a guest or private policy, and even then withadditional restrictions attached thereto. Groups of data that can beused to steal a user's identity may have recommendations and baselinerestrictive sharing policies applied thereto, so that even if a useragrees to, for example, an open policy 131 with a third-party, accessrequests from the third-party for some data will still be denied.Moreover, users may even be obligated to expressly sign agreementsindicating they are aware of the risks of sharing certain data each timethey designate an entity to receive the highly sensitive data, just toprotect the platform manager. Heavy handed alert and caution languagecan help prevent users from inadvertently sharing very sensitive data.

While it may be the case that so many data requests come from a sitethat it is impractical to literally inform the user of every request,even under the most restrictive policy, the policy may alternativelyprovide the user with a generalization of what is being requested. Therequests may still be machine filtered as well, so that if the nature ofthe request changes, the user can be informed, but the user may find itacceptable to know the general nature of the data as opposed to havingto approve every single request from a given application or site. Userscould even see, for example, a browser symbol or score associated with asite as it is being browsed, to indicate the present level of sharingand/or present policy level associated with the site. This could serveas an assurance that an agreement is in place and that the site is incompliance. Non-compliant sites may fail to show the policy and/orresult in some error in a plugin that was supposed to provide the policyscore. An aggressive such plugin, were it the case that sites werespoofing policy scores, could work in conjunction with a rolling codeauthorization, wherein a user could use an application on their phone,for example, to verify a rolling code also displayed with the score, andonly the specific user with the phone and the connection to the specificuser's PDS could verify that the rolling code was correct for the user.Other secondary proof-of-score measures could also be implemented toprevent spoofing verification of a policy being in place and/or anoverall score or value of the policy. Generally speaking, this allows aconsumer to take a privacy-first approach to use of their data,controlling access but obtaining both direct value (remuneration) andimplicit value (targeted information) based on their personal sharingpreferences. Moreover, the nature of such value in both instances can beincreased, as a central repository for all consumer personal contentscan provide some assurances of deduplication and consolidation of datapoints, as well as present a sufficient incentive for third parties toplay by the rules defined for them by a given consumer. Personal digitalcontents can continue to be gathered and saved to preserve the continualevolution of a consumer's information, but in a secure and controlledmanner that assists in preventing usage of that information for anypurpose other than what is preferred by the consumer.

Policies can be defined on a per-site, per-application basis, and mayevolve over time. As software becomes smarter and better, policies mayprovide more detailed granularity of control. As a relationship with awebsite or application develops and matures, the user may also have thepolicy evolve to either share more data or at least share the requesteddata without user notification. Since users have selectable options forcontrolling policies, the choice can be left up to the user. Artificialintelligence software may aid in the application of policies as well,allowing for a more complicated default scheme or configuration whereina user has some general preferences defined (e.g., by a survey or pastbehavior) and the AI attempts to match new third-parties based oncontext or other factors. Users can be asked to confirm the applicationof policies and be presented with the “reasoning” used by the AI, andover time, through machine learning, the AI can evolve to apply thedefault or hybrid versions of policies to new third-party entities in amanner that is consistent with a consumer's reflected wishes. Thus,there need not only be a single default policy, but default policyapplication can be automatically determined based on a configurationdefining which default policies should be applied to which entities(specifically, by type, etc.).

For example, one user may set that when a set or application has beenused 100 times, the policy can stop notifying the user when data isrequested. Another user may set that when a user has confirmed a datarequest 3 times, requests of that nature from that site no longer needconfirmation. Still another user may require that certain data is onlyshared with specific sites, and request denial of all requests for thatdata from every other site or application.

As an alternative to policy setting, which may be a complex task,depending on how granular the control and how many options exist, a usermay instead be given a quiz or survey. With a carefully crafted seriesof questions, personalized privacy settings can be derived or closelyapproximated. Once complete, the user could be provided with an overviewof the recommended settings so that fine tuning could be performed ifthe user is not entirely happy with the results.

Access to data, in accordance with all or some of the user policies,depending on a given implementation, could be governed in real-time atleast with regards to some data requests. If a company requires data, orcertain data, a push notification can be sent to a user device and, ifdesired, authentication controls along with active response consent canbe used to acquiesce to or deny the request. So, for example, a requestfor atypical data, or certain flagged data or data of a given privacylevel, may result in a push notification to a predefined device for userpermission (and authentication, e.g., biometrics or PIN) if desired.This active-consent policy could also be applied to data flagged by theplatform as valuable or sensitive—i.e., even if the user does not knowthat certain data is highly valuable or sensitive, the platform candetermine the value or possible nefarious uses for certain data andnotify the user via push notification, which can include more than asimple request for permission and may indicate any useful informationabout the value and/or sensitivity of the requested data. This can allowa user to better determine whether to share the data and whether anyproffered value in exchange for the data is worth the sharing (based onthe estimated value) and/or any risk associated with the sharing.

Policies can also define data retention for certain sites andapplications. While it may be impossible to “force” a site to deletedata, legal changes may require the sites and applications to complywith user instructions. Thus, the user can define what data may bestored and what data should be deleted 132, and the site or applicationmay be legally obligated to comply. Once the user knows what informationis being shared and what information is proposed for storage, the userwill be able to decide which information should be removed afteragreed-upon use. This can be defined as part of a policy tier and/or forindividual websites or applications and/or tracked by the audit process109.

Deletion policies 132 relate to both external storage 133 and internalstorage 134 (in the PDS). Some data is so sensitive to users they maynot want it stored anywhere (e.g., a social security number), and yet itmay be periodically necessary to share this information. The auditprocess 109 can still keep a record of the fact that such data wasshared (e.g., a placeholder such as “SSN shared with 000.111.000.111 at10:11 PM on 1/1/21”) without actually storing the data itself. This isuseful for auditing and evidence that while the data was shared, it wasalso supposed to be deleted, and an entity that fails to do so will notbe able to deny that the information was shared under a restrictiveagreement. Partial deletion is also possible 135, which can be, forexample, deleting the first five numbers of an SSN or deleting anaddress associated with a location, so that only certain aspects ofsensitive data even exist in any form of long-term storage. This may beuseful when the data is both sensitive and easily recreatable by theconsumer 100 (e.g., a full SSN or a full address).

Third-party sites and applications 136 may access, use, retain and sharedata from the PDS in accordance with permissions provided to themdirectly or in general by a user. Some such entities may share 137 datawith the PDS, and that data can represent data gathered about a consumer100 or even inferences drawn about a consumer 100, if the third-partywants to build a strong relationship with the consumer. For example, athird-party may want to “prove” that inferences are useful to aconsumer, in order to obtain a less restrictive policy, and thereforemay share the inferences based on a sample set of data about thatconsumer. If the consumer likes the inferences and finds thembeneficial, the consumer may agree to a less restrictive policy. Theconsumer benefits doubly from such sharing because the inference can beused as training for ML processes on the platform that provideadditional insight about the consumer based on aggregated stored data.It may be required for the third-party to agree to such training, or theplatform may require that aspect of the relationship in order for thethird-party to use it in the first place. Policies may evolve and bemodified over time and real-time permissioning and access can begoverned by data access agreements that, among other things, defineobtainment/procurement of personal digital contents from a privacyvault, define permissible usages of such personal digital content, anddefine retention of any obtained content, in terms of, for example,scope and duration, among other things. Parameters may be known by thethird party requesting the contents access and/or may be conveyed inconjunction with any conveyed personal digital contents.

Third-parties 136 may also be able to pull permissible data 138, usingan API, for example. The data (as discussed later) may be standardizedand therefore accessible through standardized requests that identifyelements, types, etc. of data to be pulled for one or more consumers100. The requested data may be received 139 and used in accordance witha permission granted that party, and then deleted 140 or not deleted inaccordance with the policy.

Once data in in the hands of the consumer the data may also be monetized167 by the consumer as the consumer desires. A gateway, discussed morebelow, may provide offers to the consumer in accordance with a givenconsumer's desire to monetize their data. One consumer may elect toshare the minimum necessary amount of data for any service and save itfor the minimum amount of necessary time, and another consumer may bewilling to share virtually anything and have it stored for virtually anyamount of time, for the proper price.

Consumers may be able to sell their data even to sites or applicationswith which they do not interact. For example, a new business may needinformation about the food shopping habits of 20,000 people aged 24-29within 10 miles of a city center. This crafted data request can bematched to the personal data stores of any number of correctdemographics, e.g., based on someone's age, location and whether thereis sufficient shareable shopping data in their PDS. Anyone meeting thecriteria could be provided an offer for their data, and the first 20,000respondents would receive the offer exchange. That allows for sale ofhighly targeted data, by the users, shifting that value away from themerchants who sold the users the food, for example, and to the usersthemselves.

In another example, the purchaser may only want the data if at least15,000 samples can be obtained, so users could opt into a group forsharing, and if the group pool filled with sufficient data, the valueexchange would occur. Otherwise, the data would remain secure with theuser. Some purchasers may require storage of the data, others may allowindividual users to define deletion policies, so even users withdifferent deletion protocols may be able to participate in the sameoffers.

Because the platform may have access to the data of a large segment of apopulation (e.g., within a locality), or a “population” of certaindemographics, businesses could receive access to the data of thatpopulation, subject to constraints imposed by participating consumers.The platform could additionally or alternatively provide insights, againconstrained by the individual users. In either case, the individualswhose data was used could be anonymized and receive direct value for useof the data. This provides alternative monetization options when thedata of an individual is less or differently useful than the data of agroup or population. By allowing the PDS owners to band together tooffer data about their group (e.g., via opt-in and exchange for variousvalues), additional sources of data monetization can occur, and a userhas assurances that their data is only used in a prescribed manner andis suitably anonymized. At the same time, the ability to provide thesegroup insights can drive more businesses to use the PDS platform as apreferred source for data and help extract fair value for thedata/insights.

A given third-party 136 may define an offer for data that is received bythe incentive process 168. The process may audit the offer forappropriateness and may even provide a smart-estimate of value for theoffer—e.g., most third-parties offer X value, but this third-party isonly offering ½ value. Offers considered to be “too unfair” could evenbe automatically rejected, if desired. Alternatively, consumers could begiven a relative-value score for the offer, showing how comparable theoffer is to similar requests for similar data. This helps keep theconsumer informed about whether an offer is reasonable or needs to berethought by the third-party. The same information could be conveyedback to the third-party as well, to encourage them to revise theiroffer.

Consumers could also see a score relative to other offers they havepersonally accepted. This can help standardize offers that may come indifferent forms (in terms of value offered) and allow the consumer 100to know if the offer is of the sort they historically accept. Consumerhistory could even inform this process, since the PDS may know howfrequent ordering or service interaction occurs. That is, a 3% discountfrom a service used daily may be significant over time, and even betterthan a 10% discount on a service used once a year.

Offers can include monetary offers 172 or be converted to approximatemonetary value if they take the form of discounts 171, rewards(including rewards points), or cryptocurrency. If discounts and/orcryptocurrency are saleable, as discussed herein, the present value ofsuch a discount on an open market could be used as the basis. Theprocess could also calculate an expected value to a user based on usage,and a present value if the user sold the discount. As discussed later,sale of a discount may also require the purchaser to opt-in to the samedata sharing provision that generated the discount, at least for thepurposes of use of the discount. This is not a bad deal for anyoneinvolved though, as it allows for additional data gathering (thethird-party gets certain data for providing the discount, and other dataabout another person when it is used) and allows both consumers toderive value from the discount. third-parties may also be able todictate whether a discount is saleable and under what terms.

Incentives are received 169 in exchange for the data (a direct paymentor a right that is singly or continually usable, e.g., a discount, forexample). The incentives can be spent 170 in accordance with usage of agiven site or application, and the PDS can track all applicable andusable incentives and allow for application of an incentive and/orreplacement of currency with stored currency when appropriate—e.g., if aproduct costs $10, the PDS can replace $2.50 of the cost with “PDScurrency” that is effectively money stored on behalf of the consumer 100from prior offer acceptances.

Consumers who elect to exchange their data for value may not want to belimited to the offers that correspond to the services they elect to use.For example, a user who shares information with a food-delivery servicemay receive a discount on the service for a certain level ofinformation. The user may eschew discounts below 10% and always acceptdiscounts above 15% for any data offer, and modeling (using the user'sown data), may provide opportunities to present additional offers above15% for services that may also be of interest, in exchange for data. Theuser could turn this off at any time, so as not to be overwhelmed.

On the other hand, the user may not want any of those services that theuser is not already using, and so the gateway may conclude that value ofapproximately $7 is obtained for each data share of a certain level.Instead of providing discounts, or in addition to providing discounts,the gateway may provide offers that offer $7 in actual value (e.g.,cash) in exchange for the data. Tokens, crypto currency, or other valuemay also be exchanged, a redeemable point system may even be used, forexample, wherein offerors by cryptocurrency or points from a commonpool, and reward consumers with those coins or points in exchange fordata. Consumers can then use the gateway to spend the coins or points inexchange for goods, services, discounts or even change them for cash.

Users may also be shown data snapshots about what is being gathered andby whom through analytics insights 144. Data can be displayed in anyreasonable format and per-site, per-category, per-day, etc. For example,one perspective may show a treemap or other construct that shows howmany times each element of data was gathered by any site, or any site ofa certain type, etc. Each box in the graph may show the relative amountof asks for the data relative to the other types of data.

Another graph may show each website and application, relative to eachother, based on volume of requests. This could allow a user to see whichapplications and sites gather the most data about the user. The datacould also be shown as requests per time unit, for example, to normalizethe data, in case a user spending far more time on a given website wascausing apparently excessive data requests.

Correlations of data, forms of displaying information, statistics aboutthe data, analytics, etc. are all examples of what a user can be shownabout their own data. Any reasonable format for presentation could beused, and the data about gathering and usage may be exportable for theuser to interpolate using their own analytics process.

Analytics, accessible through a direct link to a PDS or a consumergateway to their PDS, may show a consumer what might be concluded fromtheir data. By approximating merchant inference models 145, oradvertiser inference models, the gateway can demonstrate the conclusionsthat are likely being drawn, and even provide indications of what datais driving the conclusion. Such analytics (when run by third-parties)may not always be a great result for the consumer, for example, if aperson is shopping for a gift for a spouse or a trip for the family, alater-user may receive advertisements for the same gift or trip,revealing a surprise. By allowing the user to see what ads andconclusions may occur, the user may elect not to share data that mightresult in such conclusions and, in the examples above, advertisementsthat would ruin a surprise.

Analytics may also provide a user with spending and browsing trends, sothe user can better self-categorize their own behavior, as well asunderstand what computer-driven models might think of them based ontheir data. This may also help certain consumers conclude they arespending too much time or resources on certain sites or things and willallow consumers to benefit from their own data conclusions. Analyticscan come from the platform owner and/or third-party sources who aregiven permission to access the data. Analytics may also be derived froma combination of the preceding or, for example, the logic for theanalytics may come from a first source (e.g., the platform) and ananalysis and presentation of the results, along with any accompanyingrecommendations, may come from a second source (e.g., a third-partyapplication).

Some entities 146 may share direct insight engines with the platform,allowing for accurate modeling in accordance with the given entity. Thatis, if an entity purports to provide value-added analytics based onconsumer data, the entity may actually want to share the conclusionprocesses so the consumer can confirm that the insights have value, andthat alone may incentivize the consumer to share data with that entity.Other library elements may be approximations of what an entity isconcluding and may be defined for a specific entity as an approximationor defined for a class of entities as what those entities typicallyattempt to glean.

More comprehensive backend models and newly generated backend models mayalso exist 147. Natural language processing models 148, 149 may betrained using labeled or unlabeled data and should improve over time.Other ML models 150 may also be trained using consumer data, withpermission. These models can be attempts to either match or improveinsight models observed by others and/or may be initially trained basedon data gathered by others. For example, if food delivery services startasking for a user's streaming video viewing data, but will not share amodel, attempts can be made to determine correlations between the newlyrequested data and the type of service -e.g., does viewing an add orcertain content result in certain food orders. These models are notnecessarily designed for the purpose of delivering ads to a consumer,but rather to inform the consumer about what is projected to bedetermined by sharing certain types of data. Once the model is refined,it can presumably show the consumer more or less exactly what is beingdetermined and what the likely result is. Some people may not mind theresult, as they may actually want French food after viewing contentabout France, but other people may consider this to be manipulative andprefer not to share the data.

A suite of further microservices 151 may also be provided to theconsumer 100. This can include some basic metrics about data 152, suchas statistics about site usage, data sharing, and relativestatistics—e.g., how much the consumer shares relative to anyone orrelative to a demographic to which the consumer belongs or does notbelong. The consumer could presumably select the baseline set forcomparison as well, from a list of available baselines. A consumer whoconsiders themselves to be a luddite with regards to data sharing maywant to know how much data they are sharing relative to a savvierdemographic, for example. A consumer who considers themselves to be wisemay want to know how much and/or what types of data they are sharingrelative to a potentially wiser, comparable, or potentially less-wise orless-careful demographic. Parents may want to know if their child issharing a reasonable amount of data relative to their child's peers.

Data can be viewed by category 153 as well, showing how much or whatdata is shared relative to a category. Categories can include, forexample, types of data, types of services, sensitivity of data (e.g.,data pre-classified as sensitive or less-sensitive), etc.

A timeline view 154 can show data sharing as instances (specifics),categories or general volume over time. This can help a consumer modelbehavior to demonstrate improvement over data sharing as time passes.Alternative concepts of a timeline can show high-points of sharing orspend/service-interaction, e.g., spend and service interaction aroundbirthdays and holidays.

A data-shared view 155 can be another version of metrics 152 orspecifics about what data is shared. This could also be a chart (ascould any herein) that could be stepped-through, so that the primarychart could be a pie-chart, for example, and then instances could bestepped-through to see a sub-chart or the underlying information.

How is it used view 156 could show the consumer 100 how data is known orguessed to be used by various entities. This could be shown for a givenentity, a class of entities or as a treemap, for example, showingrelative uses of data (e.g., advertising generation vs. accountinteraction vs. order handling vs. etc.). Again, stepping through thedata could show underlying services to which a category relates (typesof ads, types of purchases, etc.). Consumers may seek to minimizecertain portions of the chart.

Here, and elsewhere, the platform may offer tips and services designedto change outcomes. A consumer may be on a diet and may not want “fatty”food advertisements to pop up. The platform can help understand whichdata-sharing agreements and services are likely to result in theseadvertisements and help the consumer change policies and agreements toprevent such advertising. A parent may not want a child viewing toyadvertisements, and the platform can help mask data that would result insuch advertisements or interactions with vendors or third-parties likelyto provide such information.

A psychometric profile 157 may help a person understand their ownbehaviors and/or likelihoods that, whether true or not, may be theperceptions that others have when viewing their data. Psychometricprofiles can be generated on a per-type or per-3^(rd)-party basis aswell and may generally tell a consumer what the third-party or class ofthird-parties likely thinks about the consumer based on the data.Interests 158 and other insights 159 may further help a personself-evaluate or even simply reveal how others may view them, whenlooking at data snapshots. Data itself can also be used to providereal-time services, such as behavior-based pricing services (e.g.,telematics-based insurance quotes without requiring a dongle) and carbonfootprint analysis. In the latter instance, for example, it may bepossible to obtain a very comprehensive carbon footprint map based on,for example, user shopping, travel, delivery (boxes, weights),transportation-choice, power usage, etc. habits, all of which could becollected and stored securely in a privacy vault. As the data grows morecomprehensive, spot-information (e.g., carbon usage of a powered-productper hour of use) could be provided to a consumer. For a verycarbon-aware consumer, a separate application could execute as a webplug-in and, for example, provide estimated carbon usage associated withany product on a site such as, for example, AMAZON. That data can drawfrom existing habits and aggregate carbon usage and indicate, forexample, whether the product matches those generally preferred by theconsumer based on historical data, as well as what impact on an annualcarbon footprint the product may have. This could all be presentedreal-time in conjunction with anything being contemplated for purchase.

FIG. 2 . shows an illustrative privacy management platform. A layer ofbusiness partners may reside outside the platform and may representthird-parties that have various access permissions dictated by thegateway and/or by individual consumers 100. These can include thegateway provider 229 as well as social media sites 231, applications233, marketplaces 235 and other sites.

The platform providing Privacy as a Business 200 can function as agateway between the business partners and the consumer 100. An API 203allows for defined interaction with consistent results, consistentfunction calls and consistent expected returned values (e.g., back to arequestor).

The platform 200 may also provide an interface 205 for the consumer 100,through which the consumer 100 may view the data 201 that was gatheredfrom either existing offboard data storage or ongoing relationships thatoccur while the platform is managing the relationships. Accordingly, toprotect the user and the data, the platform 200 may also provide robustsecurity 207 against both nefarious login and external third-partyintrusion.

The platform 200 may include cloud-based or backend PDSs 215 and dataexchange processes 217 as described herein, allowing for users toexchange data between third-parties under various paradigms. Analytics211 and insights 213 help users understand their own behavior, trends,what is being shared and how it is being used. Account management 209may include user permissions, data management, policy management, andcredentials for the platform or other data sources.

Separate backend data storage or portable data storage (e.g., solely inthe control of the user or in the control of the user with highly-secureredundancy on the cloud) may include a wallet 223, a portable PDS 225and a portable value store 227. A single consumer may choose to havemultiple different personal data stores for different purposes. Forexample, this could include a highly secure Personal Vault (withzero-knowledge architecture, advanced cryptography, etc.) for passwords,SSN, credit card numbers; a highly scalable and available Personal Cloudfor real time read/write of operational data with all participatingservices (e.g. checking your service order history, checking yourservice delivery status, etc.); a Personal Archive for lower coststorage of data that is not required for real time operational use; aPersonal Ledger for writing only the most important transactions to theblock chain; and etc. Each of these PDSs may address a differentcombination of convenience, security, privacy, scalability,availability, cost, etc. that could match different use cases, and theseare illustrative examples as it is appreciated that other variants onthis multiple-PDS theme could also exist. The “wallet” may store paymentmethods and collect value (e.g., money or offers from businesses,exchanged for data, for example). The wallet may include digital ledgertechnology and provide transactional service in existing currency andvirtual currency, for example, and may represent one form of PDS and/oran interaction services that interacts with one or more PDSs.

The portable PDS may allow the user to port and control some or all oftheir own data in a manner disconnect from the cloud. It could be syncedacross devices with user permission, periodically synced, and differentdevices may have different synchronization and storage permissions, sothat, for example, a portable device may never store sensitive data evenif it stores a copy of other PDS data. A highly secure redundancy mayexist in the cloud in the case of catastrophic loss of a user's syncedsystems (e.g., a fire that consumes all devices). The redundant systemmay be outside the reach of the platform 200 and only usable as a backupto restore information to a newly approved device in possession of theuser, for example.

A portable value store 227 may allow the user to port obtained value(money or discounts) and use the value on-the-go or even at a live site(e.g., a merchant brick and mortar). This may add additional value tothe exchanged value, as it permits more expansive usage and does notlock the value to an online exchange. If there was a predicate for use,such as sharing data, using the value as a live currency or discount mayresult in a data-sharing instruction or require an on-site exchange ofcertain data stored in a portable PDS, for example.

PDSs may act as a data repository and reclamation point. As the gatewayacts to assemble a profile of all the information stored about a givenuser, the user may want to recover their personal data from some sites.Certain sites may be willing to give the data back, other sites maysimply agree to delete the data. Whether a consumer is entitled to seewhat data is stored by a given site will likely be a matter of contractand/or law. Sites may not want to show the full extent of data storedbecause it could reveal proprietary information about their algorithms,or it may just be embarrassing how much information they are storing. Acontract with a consumer (e.g., a one-click license) may dictate whetherthe site has an obligation to share this information. Legal changes mayoverride this, but presently some sites may be able to avoid sharing thescope and nature of information gathered and may simply instead agree todelete it.

In either event, as the gateway does get information from certain sites,it can build a mirrored data store in the PDS. As the data is reclaimedor mirrored, purging of some or all of the data may be requested. ThePDS may also track browser history as a user browses and may contacteach visited site on behalf of the user to determine what is/was storedand to dictate removal in accordance with user preferences.

Certain terms of service (ToS) may require a user to allow data sharingwith an entity. But, when the user no longer uses the service, the usermay often forget to cancel the account, and even when the account iscancelled, the provider may maintain the user data. If the provider wasobligated to delete the data, but the user still wanted the service, theprovider may be able to agree with the user to keep the data in exchangefor continued service. Once the user no longer wants the service, underthe forced-deletion model, the user may be able to request deletion andthe provider may be legally obligated to comply. Deletions can bescheduled or suggested based on frequency of contact with a service.

Deletions can also be scheduled to occur regularly with regards tocertain data. If the PDS and/or gateway knows what data was shared withwhich sites, it will know what data those sites may hold. Thus, it issimple enough to schedule deletion of this data, knowing the site hasit. The site may also have ToS requiring non-deletion to maintain arelationship, and so the gateway may have a list of the common ToS andmay be able to inform consumers if deletion may result in loss ofcertain services. Websites may also inform the gateway about impact ofdeletion in response to receiving a deletion request, and the gatewaymay pass these messages along to the consumer as well. The gateway canalso help manage “data exhaust” for the consumer. If the platformobserves that the consumer is throwing off excessive oranalytically-excessive amounts of data, or if the consumer simplyrequests a reduction, the platform can use analytics to study existingrelationships and recommend policy changes.

For example, a change for a website to a more restrictive policy mayresult in no loss of services to the website. The gateway/platform mayobserve that other users use similar services from the site with a morerestrictive policy, and the consumer is thus simply giving awayinformation in exchange for no additional value. The platform couldautomatically switch the policy or recommend the policy switch. Inanother example, the current level of sharing could entitle the consumerto a level of services the consumer never uses, or a discount could havebeen obtained and never once applied. The platform could inform theconsumer of these instances and the consumer could decide if the morerestrictive policy made more sense, given the lack of use of the benefitrelated to the less restrictive policy. Policy changing could occur inaccordance with user settings as well, such as an automatic reversion ifthe benefit is not used within a certain timespan.

The PDS may also include data creation and storage aspects. Aspreviously noted, certain consumers, who want to share their data and/orsell their data, may desire extensive data repositories in their PDS tomaximize monetization offers. Other users may want to limit the data tothat which is expressly required by the sites they frequent andapplications they use. Users can instruct gathering and storage ofcertain data types and/or certain data, and could even request, forexample—data/types commonly required by services offering more than $10in value in exchange for the data. A request such as this could allowthe user to pseudo-specify parameters for a high-value PDS.

As the system reclaims user data, it can also determine what sorts ofdata are gathered by what sorts of sites and applications. That is, thedata recovery itself is an opportunity to train a given PDS as to whatto gather and retain, and/or to train a gateway system that can pass theknowledge about what to gather and retain along to millions of PDS's.This is not sharing of personal data—it is simply engineering datagathering plans based on observed gathered data. This may requiremomentary viewing of the data to classify it, but the gateway itselfcould offer some value for this opportunity to improve its own datagathering algorithms. Alternatively, participants may agree to such datausage as it does not relate to storage of personal information and itwill collectively improve every participant's ability to collectreplicas of the data that sites and applications were previouslycollecting.

Data collected in such a manner may be gathered based on groupcollection observations, individual collection observations related tothat user, and based on modeling for demographic groups into which auser fits, especially if the user wants to expand the store ofpotentially useful information in the PDS. For example, a user's PDS (ora gateway or other application acting on behalf of the PDS) may gatherinformation based on the fact that the user interacts with sites A, Band C, which gather first information. Crowdsourced modeling may alsoreveal five other types of data commonly gathered by other sites, butperhaps not gathered by A, B or C, and so the PDS may also store thissecond information on behalf of the user. The gateway or PDS managementsystem may also observe that the user fits into six demographic groupsfor which sites and applications may provide substantial yields ofvalue-for-data, and the information typically requested for those groups(e.g., shopping habits, travel habits, etc.) may represent third datathat is also gathered. This expansive data gathering may not occur forall users but may be relevant for certain users who are attempting tomaximize the resaleable (or shareable/exchangeable) value for date fromtheir PDS.

Additionally, a gateway acting on behalf of the PDS can homogenize thedata, placing it in a common format easily processable bymachine-learning algorithms. Data labeling, categorization, formatting,and other techniques can provide the data in a much more usable formatthan if the data were obtained from several disconnected point sources.Thus, purchasers may actually find more value in the same data whenobtained from PDSs through the gateway, since the data may have beenpreprocessed into a standardized format, and presorted and labeledrendering it more immediately useful for analysis and categorization.

The gateway may also deduplicate the data, rendering a consolidation ofdata and allowing a purchaser to more closely determine how much uniquedata they will be receiving in exchange for value. That is, if the datawas obtained from disparate sources, the data may represent significantoverlay of the same facts. This may not even be discernable from thedata, if the purchaser bought data about 100,000 people in a city fromthree separate data brokers, each site may have very similar data and itcould be difficult to determine which data was duplicated or triplicatedand thus may significantly throw off results. This is especially true ifthere is no way to ensure that the data is about the same 100,000 peoplefrom each broker.

That is, data from all three sets may indicate that 65,000 people eatfast food once a month, but those could be the same 65,000 people in allsets. At the same time, data from each set may indicate that 33,000people eat at sit-down restaurants, but that data could be 33,000different people in each set, so collectively it would representinformation about 99,000 people. Or it could be the same 33,000 people.Without personal information, which may often be excluded even when datais obtained in present form, this disparity may be impossible todetermine Statistical modeling may be used to make some assumptions,which may render the observations generally valid over a large number ofdata sets, but for an individual entity it can be a very hit-or-missenterprise.

On the other hand, if the data was from a single source and generallycomplete and deduplicated, the purchaser could “know” that the datapoints represented single non-overlapping data observations and soanalysis could proceed with much greater confidence.

To access the data, requests can be in the form of a standardizedrequest, which could resemble an API. Forms and other search formatscould also be used—for example, a purchaser could browse categories ofdata and/or demographics and see how many data points correlated to agiven formatted query. Dynamic queries may also be used, allowing apurchaser to craft a query string and determine how many data points areavailable for the given string, which may allow them to decide how muchdata they want to “purchase” and what price they will pay individuals orin the aggregate. Again, the price paid is not always in monetary terms,it can be in the form of discounts, cryptocurrency, points, etc. Apurchaser may offer the greatest value in terms of discount, but stilloffer a cash or coin alternative if users did not want the discount.This allows purchasers to maximize data purchasing opportunities andallows users to choose the desired format for remuneration.

Common formatting allows for standardized requests and standardizedresponses, allowing for fast querying of data once the formatting isknown, without a purchaser having to navigate and negotiate with variedplatforms. This can also allow for software to easily interact with PDSsand the gateway, opening the opportunity for applications to be built ontop of a user's own PDS. Similar to the gateway, the user may giveaccess to their own PDS for an application that provides insights forthe user's own benefit. With common formatting and a common source fordata, these applications do not need to adapt to hundreds or thousandsof possible data stores and source formatting and can much more easilyprovide valuable insights on a consumer's own data for a consumer usingsuch an application.

If there is a gateway application residing on top of the PDSs, it mayhave additional business-facing aspects. Much of the prior discussionhas focused on consumer-facing aspects, but it is businesses that relyon the data and the businesses that will provide any desiredvalue-exchange for the data. This may include a number of standard termsof service agreements for businesses that reflect the various datagathering and retention policies of the gateway users. That is, prior tolegal requirements that data be under the complete control of theconsumer, a common gateway providing access to millions of data pointsin a consolidated and homogenized manner may be a valuable enoughresource that the gateway can at least somewhat dictate some mandatoryToS in exchange for access. While it may be difficult to legally policecompliance, the gateway may require regular audits of random accountsand other techniques to ensure compliance. The ToS may further imposesignificant monetary penalty for non-compliance, and/or removal ofaccess to the resources of the gateway, and so draconian, enforceablepenalties may encourage compliance even in the absence of expresslegislation.

To entice businesses into using the data available through the gatewayfrom willing users, the gateway may provide a browsable interfaceallowing users to see the consolidated volumes of data available, evenif the contents are generally restricted. Since the gateway may also beable, with permission, to model various demographic groups representedby the collective PDSs, the gateway may also be able to use thisinformation to entice purchasers or entice increased value bydemonstrating the various demographic groups that can be achieved atscale through combinations of different PDSs whose users are willing toexchange data for value.

Also, to the extent permitted and possible, the gateway may havesignificant observation about what data certain types of servicesconsider to be important, and so a new service in a class could actually“ask” the gateway what information it should be considering. Forexample, the gateway may observe that fast food restaurants often wantX, Y and Z information about consumers. A new fast-food restaurant maynot appreciate this but could be informed by the gateway as to whichinformation it should be seeking. Depending on how the gateway derivedthis conclusion, it may or may not be permitted to share theseobservations, but when permissible, this can be a powerful enticementfor a new business to engage in value exchange with gateway users, asthe determinations about which data to gather could also be provided.

In still a further example, users may be able to offer up their data fora certain price. This could even be tiered by rarity of a demographic.For example, a commonly occurring demographic may command a lower pricefor the data for that demographic, but a user representing a raredemographic that might be of particular use to a business could commandmore for the data because there simply may not be that much informationavailable on that group. So, while the fact that someone is age 24-29may command a low price for general information about people from thatgroup, the fact that the person skateboards and travels frequently maybe useful information for a company looking to build destinationskateparks. That may be a much more limited size group of people and, asthe essential target audience for the business, that information may bealmost necessary to build that business and so may command a highervalue.

Because of the large possible sets of demographics, as user may notalways even know their own demographics, but they could set pricingbased on rarity of possible demographics into which they fit. Apurchaser crafting a custom demographic could bid based on the rarity ofthe data (e.g., there may only be 5,000 total distinct users in a highlytargeted group, as opposed to 5,000,000 in a broad group) and theindividual profiles would allow the users to opt in or outautomatically. The user could set a preferred price (e.g., apreferential opt-in point) and/or a lowest acceptable minimum. A biddercould offer first value and be told how many users are “in.” The usermay also be told how many users would be in if they raised the price tocertain preferred prices. Users would be incentivized to keep theirpricing close to the group to avoid being left out for being tooexpensive.

The gateway could pool users to create a collective offer and distributevalue pro-rata based on participant indicated pricing. In this model,the purchaser could define a size of results wanted and simply be toldhow much it would cost to purchase the data of that size. The prices peruser may vary, but the aggregate is how much for which all users arewilling to collectively sell their data. Preferred pricing can bedefined in the form of currency, crypto currency, points, discounts,etc.

Businesses may submit offers to the gateway in exchange for data. Theseoffers could be presented as part of a normal business transaction or asone-off or continual opportunities, even for people who do not use thebusiness. For example, a first service may only be interested on dataabout people who already use their service, and so may offer onlydiscounts and only to customers. The gateway could include anapplication or plug-in that launched when certain sites were visited orapplications were used, which would launch a version of the site orapplication that included data sharing in exchange for value options.E.g., a customer could login under option A, which shared no data otherthan that absolutely necessary to complete a transaction, provided nodiscount, and resulted in no long-term storage. Option B may provide aone-time discount in exchange for a certain level of data, to beretained for no longer than one week. Option C may provide an ongoingdiscount for the right to collect certain data weekly and store it foras long as option C's discount was still applicable.

A different site may simply want data from any source and may offereither discounts or cash depending on who is providing the data and/orwhich form of value they prefer. A regular user of services of the sitemay still prefer discounts, as they may be worth more than cash, butother non-users may still provide valuable data about habits and mayprefer value other than discounts. With permission, discounts may alsobe theoretically saleable—wherein user A could sell their discount touser B (e.g., 10% off of an order up to $100), but, to provide value tothe merchant, the user B would have to submit at least temporarily tothe terms of the agreement with A. That is, for a limited time period atleast, user B would have to provide the data user A would have provided.The required data could be identified as part of an offer for theexchange, to ensure B agreed to the terms. This would allow users tocollect discounts and exchange them for value if they were not beingused, while the merchant would still presumably benefit from thepurchase as well as the additional data collected about a new user.

Businesses could also target certain recipients for offers. A businessopening a new location in a new metropolitan area want to quickly gatherhabit and shopping information about people in what was considered to bea relevant shopping area, and so could limit the offer to a certaingeography of users. Further, the discount could be higher in order toentice purchasing, but again may only be applicable to those localusers. Or the busines could offer the discount to “missing”demographics, such as a user group the business thought it should beservicing but apparently was not.

Not only does the business get to offer the discount to these missingusers, but it can also gather information on users who agree to theexchange, which can allow it to improve offerings targeted towards thoseusers. This can be a powerful incentive to encourage participation frombusiness, which can more quickly revamp to entice a new demographic.Since the business will be now offering services more appealing to thatdemographic, the demographic benefits as well, by being provided withmore preferable options from the business. Businesses could also excludedemographics or regions, if, for example, they were already fullyservicing certain areas or clientele, they may not want that data, andit may be faster to define which data they do not want than which datathey do want.

Consumers may have similar control and may exclude certain data fromcertain businesses as they see fit, either specifically orcategorically. For example, if consumer data indicated the consumer wason a diet, they may want to share that information with fitness servicesbut exclude that information from fast food services, who may seek totempt the user back to unhealthy food even if, or because, the user datareflects the present intent to diet.

In at least one alternative, the platform could offer competing offersfrom alternative businesses, that may sell a similar good or offer asimilar discount/value in exchange for less data. For example, if a userwas ordering food from restaurant A and delivery service A, deliveryservice B may have a better offer for the same food from restaurant A.If the user frequently used service B as well, the offer may be ofobvious value. On the other hand, relationships between the consumer 100and service A as opposed to service B may reveal a clear preference forservice A over service B and the offer could be avoided.

PDSs and similar data storage solutions may take the form of portableuser wallets completely under control of a user. That is, in oneexample, they may reside exclusively on user devices. The problem withsuch a model is that a loss of access to the store would render thewhole dataset lost, and so a user may still prefer that a secure, andpossibly encrypted, backup of the data be kept in the cloud and updatedperiodically, or as new data is gathered. At the same time, if the userhad direct control over the PDS, the user could dictate which gatewaysand applications had permission to directly interface with the PDS.

An application or website could act as a general point of access for aPDS, whether it was stored locally or in the cloud. Since the data wouldlikely be encrypted in some manner, or at least somewhat confusing ifviewed in raw form, the user would often prefer and interface allowingthem to interact with their data in a more meaningful manner. This couldinclude a local application that did nothing more than present the datamore usefully and run basic queries, responsive only to the user, or itcould include a comprehensive management system that maintained thedata, created value-opportunities, created business-facing opportunitiesto entice value, etc. Any data stored in the PDS, whether under externalor user control, could be encrypted at both the file and data level,which can include having data encrypted at the data level having one ormore additional passwords or keys associated therewith. This may requiremultiple levels of decryption, but may render the data more secure.

FIG. 3 shows an illustrative logical view of a data ecosystem includingthe platform, a security gateway, and public networks. In this example,“public” networks 301 may include unsecured access points outside ofdirect control of the backend platform provider, which can include, forexample, a mobile application 303 for accessing the platform or othermobile applications that reside on top of the PDS and are, for example,approved but not controlled by the platform provider, social media orother websites and applications 305 and/or business partners 307 thathave defined accesses and or existing permissions.

Requests for information to or from the platform 315, which can includedata requests, access requests, exchange requests, new offers, etc. canbe instituted using a common API 313 and pass through a security gateway309 that includes both security review 311 and API request review 313for, for example, proper formatting and usage.

On the backend, business services 317 define the API accesses 319 thatbusinesses can use and commands usable by third-party applications tomodel, view, share, use data, etc., in accordance with defined policy.

The services can also add content to a PDS 321, share content from thePDS 321 in accordance with policy, and delete content from the PDS 321in accordance with policy or direct instruction. Each policy-basedaction could theoretically also be called via a direct request, so thatnew content can be expressly added and/or certain content can beexpressly shared, outside of automatic action by a policy.

Monetization opportunities 323 can be both business and consumer facing,wherein businesses can use the interface to craft opportunities andincentives, or craft spending opportunities for gathered incentives(e.g., cross-service discount usage or use of cryptocurrency or storedvalue). Consumers can view offers and incentives already gathered andadjust their offer-viewing settings, for example, if desired, in orderto obtain more or fewer sharing offers.

Insights and data services 325 can provide vast personal self-knowledgeand an understanding of how other entities view the consumer. This canprovide various consumer-facing information such as profile views,evaluations, timelines, and other analytics.

All of the various business layer services can be supported bymicroservices callable by one or more externally facing services andillustrated in the non-limiting services layer 327. This can includeprocess monitoring 329, analytical models 331, insights 333, businessprocess management 335, monetization services 337 and personal dataservices 339. The business services may provide the connecting servicesfrom the requesting service to the platform. The micro services mayprovide the service which process the data for a specific businessservice or other micro service. Event notifications may includetriggering events that launch a micro service such as data arrival eventin the personal data store.

A data layer 343 can store data objects. The data layer 343 may includedifferent representation of the data. For example, one representationmight be a graph data base, another might be a database, another mightbe file based.

Security services 351 residing on the platform provide ongoing securityover internal requests and include identity management (IDM)/securityaccess manager (SAM—e.g., such as provided by IBM (iSAM)) services aswell as user-account credentials, policies, etc. 355.

The following illustrative processes show several non-limiting examplesof how data and consumer interactions can be handled in a way thatprovides security to a user, transparency over data, policy-controlledinteractions, user assurances of compliance and active negotiation forvalue. Many other illustrative processes are appreciated to be withinthe scope of the illustrative embodiments and the like, and thefollowing are presented to provide a general sense of the scope ofcapabilities of at least certain aspects of the illustrativeembodiments.

FIG. 4 shows an illustrative example of a data management process. INthis example, the platform may receive a request from a user for a siteinteraction at 401. This could be a website request, an applicationlaunch, etc. The active privacy management platform may run in thebackground of both devices and/or browsers and react to any instancewhere anything other than some basic data is requested from a user, orsimply react every time any interaction occurs, since every computerinteraction involves some exchange of data.

Responsive to the request or attempt to navigate to a site or launch anapplication, the privacy platform determines if there are any alertsassociated with the third-party entity at 403. This could be violationsof past policy, security breaches, blacklisted bad-actors, etc. Alertscan be passed to the consumer at 405 and if the consumer still elects toproceed at 407, the process can continue. Even if a previousrelationship was established, new violations of policy or a data breachmay cause the consumer to rethink a relationship or site/applicationusage and may be worth identifying for a consumer 100.

The platform may also determine if the consumer 100 has an existingrelationship with the third-party entity at 409. This would be, forexample, prior interaction either through the platform or prior toadoption of the platform, and a resulting policy may already apply. Ifthe consumer has no prior relationship or defined policy at 409, theplatform may consider whether other consumers have a relationship withthe third-party at 411. If there is no accessible knowledge of anyplatform user having a relationship and policy, the platform mayrecommend a highly restrictive policy at 413.

Using the preferred relationships of others, the platform may model theuser at 415 based on both other user preferences and demographics ofsimilar users, for example. The user may have a tendency to adoptprivacy policies of a certain demographic, or may have personalpreferences that are not categorizable, and weighting can be applied tothe analysis accordingly to recommend an initial policy at 417 that islikely consistent with a user's general preference.

The suggested, or another possible, policy may have value-added offersassociated therewith, and the platform can check for this at 423. Evenif the user already had a policy at 409, and that policy was appliedinitially at 419, there may be new offers at 421 to revert to a new,less aggressive policy and those may be considered by the user at 423 incase the user wants to change policies in exchange for a new offer.

In the case of a new user relationship, the recommended policy mayinclude an offer and/or other less aggressive policies may includebetter offers and so the user may be provided with the better offer aswell as any applicable offer relative to the recommended policy at 425.The offers do not have to be policy-by-policy, as noted, and may insteadpertain to a carve-out for certain data or a change to a use orretention aspect for certain data.

The offer may also require a policy change at 427, depending on whetherit is a one-off offer or a change to policy in exchange for value. Anynew required policy modifications can be performed at 429 and stored forthat user-third-party relationship. Some users may want to avoid thisstep and may have, for example, a default policy setting for newrelationships and/or settings that simply require the platform to useany prior policy unless the user expressly requests change or thethird-party expressly requires change.

Once the policy has been applied or changed and applied, the platformcan handle the interaction at 431. This can include, for example,providing data in accordance with the applied policy and tracking theprovided data at 433. Any deletion requirements applied by the policyand/or user general settings may dictate flagging of certain datasharing for later audit at 435, as discussed in greater detail withrespect to FIG. 5 below.

Occasionally, the third-party may request data that is outside the scopeof the policy (an out of bounds (OOB) request) at 437. This could be arequest for data not covered by the policy, or data restricted out bythe policy, for example. The platform can alert the user of suchrequests at 439 and the user can determine whether to allow the requestat 441. If the request is blocked, the platform blocks the data at 443.As before, the user may have general settings to simply block suchrequests, which may be overridden by, for example, an expressrequirement by the third-party for the data in order to proceed(presenting the allow/block model) but which may otherwise simply blockany non-necessary requests.

If the user allows the request, it may be one time or it may result in achange to the policy at 445. If a modification is requested, this canoccur at 447 and change the policy for that relationship. This may be inexchange for new value, as discussed in greater detail with respect toFIG. 6 below.

Whether or not the policy is changed, if the user approves the requestthe platform allows the data to be passed (and may flag the data andsharing) and then continues to monitor the interaction until theinteraction is fully complete at 451 (e.g., the user leaves the siteentirely, logs off, exits an application, etc.). Any audits necessary orrecommended based on the shared-data may then be scheduled at 453 andany useful analytics may be run at 455.

With regards to the audits, certain users may require or request (oreven pay value for) regular audits of all data supposed to be deletedfrom third-party sites. In other instances, audits may draw from arandom pool of data that was supposed to be deleted, and so schedulingan audit in this context is simply adding the shared to-be-deleted datato the resource pool. The data itself may not be stored, but ratherreferenced and the audit process may have express permission to look upthe values if the audit randomly selects that data fordeletion-auditing.

Users may also define analytics that are preferred after all or certaininteractions. For example, a user may want a “spend” audit after everyinteraction that involved use of financial data for goods. This could bean immediate spend audit (the current interaction) and a longer-rangespend audit related to all spend or spend within a category, forexample. Any other suitable analytics can be run as well, and it is notnecessary to run any analytics at completion if there are no presentanalytics desired.

FIG. 5 shows an illustrative example of a data auditing process. In thisexample, an audit process may contact a third-party site or repositoryon behalf of a user or on behalf of the platform at 501. Audits can berun user-by-user, or audits can be periodic with regards to any entityfor which data-deletion was instructed.

The platform may send an audit request at 503, with which the site orentity may have to mandatorily comply based on existing agreements. Thiscan include, for example, a request for specific data about a userand/or randomized (but specific in the request) data from a group ofusers, representing data that was supposed to be deleted. The requestmay be, for example, a request for all data about users whose data wasincluded in the random set, as opposed to specific data about thosespecific users, so that the full set of what was retained can becontemplated and the entity can be less strategic about response (notnecessarily knowing what will be checked). Of course, entities can lie,but any future audit revealing such a lie and/or breach revealing thatsupposed-to-be-deleted data was compromised could be grounds for legalaction and termination from participation in the platform, so compliancewill hopefully be forthcoming.

Upon receiving the responsive requested data at 505, the audit processcan compare the stored data to the data that was supposed to be deletedat 507, effectively looking for the absence of data, for example. Thatis, user account names and basic information may be permissibly stored,but certain ancillary information may be expected to be not included inthe response.

The audit process may flag at 509 any violations, if any, and proceedwith certain mitigation actions. These actions can include, for example,notifying the affected consumers at 511 as well as launching afull-scale audit to determine if comparable data was stored for allusers when it was supposed to be deleted. Another possible mitigationaction could be automatic modification of all affected user policies orall policies in general, essentially resetting the entity to anaggressive baseline.

Some users may not want the reversion, as they may be agnostic about thedata and/or don't want the hassle of reverting the policy if they stillwant the services, and so personal user settings can dictate whetherautomatic reversion occurs. Any necessary changes can be enacted at 517and both the entity and users can be alerted at 515. The entity may begiven a grace period with which to comply, and/or users can electreversion or non-reversion responsive to the alerts if that approach ispreferable or dictated by user settings. The most draconian approach,short of litigation to enforce deletion, could include a temporary orpermanent ban of services to the entity, or a ban with respect to allusers except those who expressly indicate an interest in continuedbusiness and sharing.

FIG. 6 shows an illustrative example of a data negotiation process. Thisis an example of what may occur when a process requests OOB data, whichcan include data not expressly covered by a policy and/or data outsidethe bounds of a current policy.

In this example, the platform may receive a request for data that isOOB. For example, data not defined by the policy could be requested,such as data not expected by the entity and therefore uncovered by thepolicy. In other examples, the data could include more-secure data thatis restricted or blocked by the policy. The request can also be aretention or use request and does not necessarily pertain to a type orelement of data, but rather a usage or retention of already permitted orcurrently not covered or permitted data. This example provides anon-limiting embodiment demonstrating how a consumer can actively deriveand negotiate value-for-data.

The platform may notify the consumer of the request at 603, includingidentifying any OOB aspects of the request, such as, but not limited to,types of data, retention, use, etc. The third-party may recognize theOOB nature of the request, knowing the relationship, and may furtherprovide a reason for the request which may be passed along to theconsumer.

In this example, the platform will leverage its own analytic capabilityand the premise of thousands of varied value-exchanges to evaluate thevalue of the request in terms of what others are already offering at605. While not necessary, this allows the consumer to make an educateddecision about relative value and determine if the entity is being“fair.” Accordingly, the platform determines an approximate value orrange of value for the request and presents it to the third-party. It isalso possible the third-party has no concept of the market, and so theycan evaluate whether the data is “worth it” relative to their ownplanned usage and the expected cost. The expected value could also bederived based on negotiations for the same data from prior consumers,for example, from the same entity, ensuring some consistency invalue-exchange and further protecting the consumer.

The platform presents the offer to the business first at 607, which mayinvolve negotiating with a machine. If there is no available machinenegotiation on the other end, the request may be blocked until a personcan decide to accept or reject. In other examples, the API can defineparameters for such negotiation, wherein a data-call or a generalprotocol can dictate the confines of offer-acceptance without an activeML/AI entity on the other end engaging in negotiation. For example, abusiness could dictate that it will engage in 2 rounds of negotiationfor 15% less-than and then 100% of fair market value, subject toconsumer acceptance and not-to-exceed $1. That could be coded into arequest or entity profile to enable such negotiations in an automaticmanner without human intervention.

If the business accepts the offer at 609, the offer is then presented tothe consumer at 611. If the business counters at 613, the counterofferis presented to the consumer. Using the simple preceding example, theoffer to the business may initially be at 100% of fair value (asdetermined by the platform) and the business would counter at 85% offair value. If the consumer rejected the offer, or if the business wasout of counters or did not counter, the consumer could present acounteroffer at 617. If the consumer rejected the offer and did notcounter, the process could block the data at 619.

If the consumer countered, the offer could be re-presented to thebusiness at 607, which may also have rules defined for dealing withcounteroffers. Using the preceding example, the business may have afurther rule that as long as the counter is below $1, it will beaccepted, provided that number is not also more than 50% above fairmarket value. If the number is above 50%, the business could againcounter with the final top number (150% of value).

For example, assume the platform determines a data request for one-timeuse of non-stored data is worth $0.60. The business has automatic rulesto first counter with $0.51, but also automatically accept anything upto $0.60 as a counter or as the final offer if the consumer agrees. Ifthe consumer countered with $0.95, the business would re-counter with$0.9, the max value it would pay. If the consumer rejected, they maystill be told that the data would be blocked unless they took the $0.90,allowing them a last-chance. This is merely an example of how a humancan negotiate with a machine and while it is appreciated that a savvyhuman could manipulate the system to always get the max value,especially with a last-chance-best-offer provision, it is alsoappreciated that more complex game-theory could be applied to themachine side of the negotiation to avoid such outcomes.

If the parties can come to an agreement at 615, the process determinesif this is a one-time data provision at 621, or if it results in apolicy change at 623. The impact and long-term effect can be conveyed tothe consumer, so they are negotiating with complete information. Oncethe negotiation is complete, the platform can provide the requested dataat 625 and store any value derived by the consumer at 627.

The illustrative embodiments, aspects of the illustrative embodiments,and the like, provide for elements of a data privacy ecosystem thatshifts the balance of power away from the third-parties that presentlyhold consumer data to at least level the field. Consumers are providedwith presently-missing information about and control over their data, aswell as new opportunities to monetize that data and extract a measure ofits value. The embodiments may also expressly add value to the datathrough homogenization and standardization. Back-end analytics allowconsumers to view new insights about themselves and the conclusions thatare being drawn about them. Portability and security aspects ensureimproved management, optics, understanding and control over personaldata, and generally serve to wrest back data and value from the entitiesthat presently act unfettered.

While exemplary embodiments are described above, it is not intended thatthese embodiments describe all possible forms encompassed by the claims.The words used in the specification are words of description rather thanlimitation, and it is understood that various changes can be madewithout departing from the spirit and scope of the disclosure. Aspreviously described, the features of various embodiments can becombined to form further embodiments of the invention that may not beexplicitly described or illustrated. While various embodiments couldhave been described as providing advantages or being preferred overother embodiments or prior art implementations with respect to one ormore desired characteristics, those of ordinary skill in the artrecognize that one or more features or characteristics can becompromised to achieve desired overall system attributes, which dependon the specific application and implementation. As such, embodimentsdescribed as less desirable than other embodiments or prior artimplementations with respect to one or more characteristics are notoutside the scope of the disclosure and can be desirable for particularapplications.

1. A system comprising: one or more privacy vaults, wherein at least oneof the one or more privacy vaults: is associated with at least oneindividual user; stores contents associated with the associated at leastone individual user; and stores specific identification of a pluralityof third-party entities, authorized to access at least a portion of thecontents stored by the one or more privacy vaults, along with accesspermissions, one or more of the access permissions defined for each ofthe plurality of third-party entities, wherein at least one of theaccess permissions defines accessibility of the contents, for at leastone of the plurality of third-party entities, including a contentretention permission defining the right to retain at least a portion ofthe contents, subsequent to downloading the at least the portion of thecontents and defining a condition after which the at least the portionof the contents downloaded and stored by the third party are to bedeleted; and one or more processors configured to: provide gatewayservices for accessing contents stored by the one or more privacyvaults, including handling access requests, for contents from the one ormore privacy vaults, wherein an access request, from the at least onethird-party entity, is handled in accordance with at least one of theaccess permissions defined for the at least one third-party entity ineach of a plurality of target privacy vaults from which the at least onethird-party entity requests information, to fulfil the access requestfor the contents from a respective target privacy vault according to theaccess permission defined for the at least one third-party entity by therespective target privacy vault; obtain content-retention information,identifying what contents, of outbound contents from at least oneprivacy vault of the plurality of target privacy vaults, and that wereprovided responsive to the access request from the at least onethird-party entity, were retained remotely by the at least onethird-party entity; and compare the identified contents to the contentretention permission of the at least one privacy vault and defined forthe at least one third-party entity to determine if the identifiedcontents were permissibly retained in accordance with the contentretention policy.
 2. (canceled)
 3. The system of claim 1, wherein thespecific identification in the at least one privacy vault includesidentification of each of the plurality of third-party entities.
 4. Thesystem of claim 1, wherein the accessibility includes the right to useat least a portion of the contents for a predefined purpose or the rightto download at least a portion of the contents, as indicated as part ofthe at least one access permission defined for the at least onethird-party entity by the at least one privacy vault.
 5. (canceled) 6.(canceled)
 7. A system comprising: one or more privacy vaults, whereinat least one of the one or more privacy vaults: is associated with atleast one individual user; stores contents associated with theassociated at least one individual user; and stores specificidentification of a plurality of third-party entities, authorized toaccess at least a portion of the contents stored by the one or moreprivacy vaults, along with access permissions, one or more of the accesspermissions defined for each of the plurality of third-party entities,at least one of the access permissions defining accessibility of thecontents,. for at least one of the plurality of third-party entities,including a content retention permission defining the right to retain atleast a portion of the contents, subsequent to downloading the at leastthe portion of the contents and defining a condition after which the atleast the portion of the contents downloaded and stored by the thirdparty are to be deleted; and one or more processors configured to:provide gateway services for accessing the contents stored by the one ormore privacy vaults, including handling access requests, including atleast access requests from the at least one third-party entity; andprovide audit services comprising: obtaining content-retentioninformation; identifying what contents, of outbound contents from atleast one audit-target privacy vault, of the one or more privacy vaults,and that were provided responsive to an access request from the at leastone third-party entity, were retained remotely by the at least onethird-party entity; and evaluating the identified contents based on thecontent retention permission of the at least one audit-target privacyvault and defined for the at least one third-party entity to determineif the identified contents were permissibly retained in accordance withthe content retention permission.
 8. The system of claim 7, at least oneof the one or more processors is further configured to provide contentgathering services for the at least one individual user, includingtracking digital actions of the at least one individual user, gatheringcontents generated by the digital actions, and storing the gatheredcontents in the at least one privacy vault associated with the at leastone individual user for whom content gathering services were provided.9. The system of claim 7, wherein at least one of the one or moreprocessors is further configured to provide value-handling servicesdefined for the at least one privacy vault, enabling the exchange ofvalue from one or more of the plurality of third-party entities for atleast a portion of contents stored in the at least one privacy vault.10. The system of claim 7, wherein accessibility includes the right todownload at least a portion of the contents identified by the at leastone access permission defined for the at least one third-party entity.11. The system of claim 7, wherein the accessibility includes the rightto use at least a portion of the contents for a predefined purpose thatis included as part of the at least one access permission defined forthe at least one third-party entity.
 12. (canceled)
 13. The system ofclaim 7, wherein the condition includes a time duration from a time ofdownload.
 14. A system comprising: one or more privacy vaults, whereinat least one of the one or more privacy vaults: is associated with atleast one individual user; stores contents associated with theassociated at least one individual user; and stores specificidentification of a plurality of third-party entities, authorized toaccess at least a portion of the contents stored by the one or moreprivacy vaults, along with access permissions, one or more of the accesspermissions defined for each of the plurality of third-party entities,at least one of the access permissions defining accessibility of thecontents,. for at least one of the plurality of third-party entities,including a content retention permission defining the right to retain atleast a portion of the contents, subsequent to downloading the at leastthe portion of the contents and defining a condition after which the atleast the portion of the contents downloaded and stored by the thirdparty are to be deleted; and one or more processors configured to:provide gateway services for accessing contents stored by the one ormore privacy vaults, including handling access requests, for contentsfrom the one or more privacy vaults, wherein an access request, from theat least one third-party entity, is handled in accordance with at leastone of the access permissions defined for the at least one third-partyentity in each of a plurality of target privacy vaults from which the atleast one third party entity requests information, to fulfil the accessrequest for the information from a respective target privacy vaultaccording to the access permission defined for the at least onethird-party entity by the respective target privacy vault; and providecontent gathering services for the at least one individual user,including tracking digital actions of the at least one individual user,gathering contents generated by the digital actions, and storing thegathered contents in the at least one privacy vault associated with theat least one individual user for whom content gathering services wereprovided; obtain content-retention information, identifying whatcontents, of outbound contents from at least one privacy vault of theplurality of target privacy vaults, and that were provided responsive tothe access request from the at least one third-party entity, wereretained remotely by the at least one third-party entity; and comparethe identified contents to the content retention permission of the atleast one privacy vault and defined for the at least one third-partyentity to determine if the identified contents were permissibly retainedin accordance with the content retention policy.
 15. (canceled)
 16. Thesystem of claim 14, wherein at least one of the one or more processorsis further configured to provide value-handling services defined for theat least one privacy vault, enabling the exchange of value from one ormore of the plurality third-party entities for at least a portion ofcontents stored in the at least one privacy vault.
 17. The system ofclaim 14, wherein accessibility includes the right to download at leasta portion of the contents.
 18. The system of claim 14, wherein theaccessibility includes the right to use at least a portion of thecontents for a predefined purpose, included as part of the at least oneaccess permission defined for the at least one third-party entity. 19.(canceled)
 20. The system of claim 14, wherein the condition includes atime duration.
 21. The system of claim 1, wherein the condition includesa time duration.